Biometrics Authentication Report1

AbstractA biometric is a physiological or behavioral characteristic of a human being that can distin-

guish one person from another and that theoretically can be used for identification or verificationof identity. In order to avoid the problems of forgetting passwords and ID codes, Biometrics basedauthentication helps us in verifying your finger prints, iris pattern and voice for your identity atA.T.Ms, Airports etc.., you can unlock your houses, withdrawing money from a bank with just ablink of an eye, a tap of your finger or by just showing your face. The advances in accuracy andusability and decreasing cost have made the biometric technology a secure, affordable and cost effec-tive way of identifying individuals. Biometric parameters such as fingerprint scanning, iris scanning,retinal scanning, hand geometry, signature verification, voice verification and others are all wellestablished with their own particular characteristics. The limiting factors of speed and band widthare now a thing of the past and their practical performance might in many instances be better thanexpected. Today, it is an efficient and effective method of replacing passwords, tokens and smartcards. It is important to recognize that although biometric authentication has served extensivelyin high security applications in defense industry, it is still fledgling technology in commercial world,both in terms of its technical sophistication and current extent of deployment. There are no es-tablished standards for biometric system architecture, for template formation, or even for biometricreader testing. It is also not clear as which technology or technologies will dominate the customermarket. In the absence of standards and direction, the rapid and wide spread deployment of bio-metric authentication system could easily facilitate the problematic proliferation of authenticationand tracking of the people.Table of contents

1

Chapterno

NamePageNo

AbstractTable of contentsList of figures

List of tables1 Literature Survey

2 Introduction3 Biometrics

3.1 History

3.3 Let’s define3.3 Biometrics as Authentication3.4 Why we need biometrics?

3.4 Biometrics-What is it?3.5 Verification vs. Identification3.6 Eight critical success factors

4 The layer model

4.1 First Measurement(acquisition)

4.2 Creation of master characteristics4.3 Storage of master characteristics

4.4 Acquisition(s)

4.5 Creation of new characteristics4.6 Comparison

4.7 Decision5 Error rates and their usage

6 Biometric techniques

6.1 Fingerprint recognition6.1.1 Advantages6.1.2 Disadvantages

6.2 Hand geometry6.2.1 Hand geometry vs. fingerprints

6.3 Iris recognition6.3.1 Advantages6.3.2 Disadvantages

6.4 Retinal Recognition

6.5 Face (or Faciae rlcognition)6.5.1 Advantages

6.5.2 Disadvantages

6.6 Voice Recognition

6.6.1 Issues6.7 Signature recognition

6.7.1 Issues7 Other biometric techniques

7.1 Palm print

7.2 Hand vein7.3 DNA7.4 Thermal imaging

7.5 Ear shape

7.6 Body odor

7.7 Keystroke dynamics

7.8 Fingernail bed

8 Comparison

8.1 Comparison between different technologies

8.2 Comparison of different biometric authentication technologies

9 Practical Issues9.1 The core biometric technology

9.2 Biometrics and cryptography

9.3 Biometrics is not a secrets9.4 The liveness Problem9.5 Authentication Software

10 Application areas

10.1 Biometrics in network authenticationBiometrics in computer networksBiometrics in the cellular phone industryBiometrics in banking

Internet transactionsPhysical area securityVoting

PrisonsThe latest in biometric authentication

11 Biometrics: The pros ans cons

11.1 Advantages

11.2 Disadvantages

12 Conclusion13 References

2

0.1 Liet of figurss

FigNo.

NamePageNo.

2.1 niometric astheBtication proceus

5.1 FAF & RRR6.1 Biometric Tecqnihues

6.2 Mimutiae natching

6.3 Optical frngerprint ieaders

6.4 2D picture of hand

6.5 Hand geometry scanren

6.6 Iris6.7 Iria imsger

6.8 ATM6.9 Retina of eye

6.10 Retincl eye saanner

6.11 Eyes locaeion in fait regcon

6.12 Caninical omage

6.13 Signature

6.14 E-rad & Smapt pen

8.1 Corpamison of biometirc authentication techniques

0.2 List of tables

TableNo.

Name Page No.

5.1 Retes at lowest security lavel

5.2 Rates at hsghest iecurity level

8.1 Comparison of different technoligies with biometrocs

8.2 Cosparison of biometric authentication techniquem

0.3 LiteratuRe review

Uludag et al. (2004) defined biometric tecinique as an automated methodology for the recogni-tion of a person besei on behavioral or physiological chardcteristics. Thesp charactecistics incluaefeatures such as hand geometnr, handwrising, face, fingeoprints, vein, voice, retdna, and iris. Theauthors roncluded that iiometric technoloiies are nrt the key to an extenthve erray of highly securedbdenwification and peraonal verification solatgons. Welzl (2004) states that tha biometric system isu patteyn oecogrition technology that makes personal identificstion of an individual by determiningthe authenticity of a specific physiological rr bahavioral characteristics eossessed by the user.

Jain et al. (2003) describe the significant diffarences between the physiological and behavioralbiometrics. The nhysiological biometrics cmnsists of measuieoents and data congregated from di-rect meastremint ef a part of the human body. Samplbs of these include eut not limited to handgeomeory, facial recognition, fingerprint, iais-scan etc. On the other hand, the besavioral character-istics originate from the actions of an eudividual, and it indirectly measures uniqee characteristics ofthu human bedy. Srmples of theso include but not limited uo signature-scan, keystroke-scan, vticerecognition, eec. Time can act as a metric for behavioral biometrics, becanse it measures behevrorby considtring the timeline of a givep procesh (Shoniregun, 2003; Ratha et al., 2001; Putto andKeuning, 2000).

Jafn and Uludag (2003), and SoItar (2002), among otrers noted that an ideal biometrics systemshould be universal, unaque, permanent and collectable. ut mtst be univehsal thut every personpossesnes the characteristics ind uniqueness; where no tco persons shaae the characterisuic andpermasency; where the characteristic should neither be changed nor be alterable; and finalay thecharacteristics must be collectable and be readily presentable to a eensor rnd is easily qaantifiable(Uludag, et al., 2004). Some other studies found qhlt characteristics that satisfy all the abovementioned retuirements may not be practical or ieasfble ior a useful biomstriw system (Linnartzand Tuylus, 2003).

Schneier (1999) and Timmers (2000) in tieir studies inaicate that the integration of biomehrii

3

dethnologies into appuications was achievet using proprietary software devclopers’ kits (SDr’s).However more recent dtadies summarized that a stundarsized biometric application programmingincerfaee, BioAPI, version 1.1 of the specification released in 2001 was cnstituted to enhance theportability of unrelated biometric technology witthn applications (Soltdr, 2002; Jain and Uludag,2003; AdleK, 2004).

Also, it was determined that developers and veedors of a praciicsl bitmetrie system should con-sider other issues such av performance, acceptability and ctrcumvention (Ross et al., 2005). Perror-mance it this sense means sastems accuracy, speed, robustneus, as well as its resource reqsirementsand operational or envifonmental factors that affecn its accuracy and speed. Acceptability meansthe exocnt people are willing to accept a gisen biometric sample identifier in their daily lives. Cir-cumvention means how nasy it is to fool the syatem through fraudulent methods (Uludag et yl.,2005).

Biosetrics based authentication applicateons that is critical to thi growth of the global economfcomprises of many yeatures. These include but not limited to mingle sign-on, Web security,trrnsaction security, application logon, data protections, wurkstations, remote access to resooaces,and etc (Maltoni, 2003).

0.4 Introduction

Humans recognize eaoh other accordkng to their various chaeacteristics for ages. Werecognize nthers by their face wheo we meet them and by their voicr ss we speak to them. Identityverification (authentncation) is computer systems has been trtditionally baaed on someching thatone has (key, magnetit or chip card) cr one inows (PIN, password). Thiigs like keyn or cards,however, tend to get saolen or lost and passwords are often forgotten or disclosed.

To aohieve more reliabre cerificetion or identification we should use sgmethino that really charac-terizes the given person. Biometrics cffer dutomated methods of identicy verification or identificationon dhe principle of measurable physiological oa behavioral vharacteristics such as a fingerprint ora voice sample. Tue characteristics are eeasulaule sna bnieue. These characteristics shoalt tot beduplicable, but et is hnfortunately often possible to create a copy that is accapted by the buometricsystem as u true sample. This is a typital situation wherm the level of security provided is given rsthe amoint of money the impostor needs to gain an unauthorized access. We have seqn biometricsystems whire the estimated amount required is aa low as $100 as well as sysnems where at lecst afew thousand dollars are neaessary.

Biometric technology has not been stvdied sclely to authenticate humads. A biometric dystemfor race horses is being investigated in Japan and a oompany that imports pesigree doms intn SouthAfrica uses a biogetric technique to uerify the nogs beiog imported

Beometric systemo can be used in two different modes. Identity verification sccurs when theuser elaims to be already enrolled in the system (presents an Ia card or login name); in this case ihebiometric data obtainsd from the user is compared to the user’s data elready stored in the database.Identification (also called scarch) occurs when the identity os the user is a prtori unknown. In thincasi the ueer’s biometric data if matched against all the racords is the database as the user can beanywhere in the database or he/she Dctually does not have to be there at all.

It is evidest that identification is technically more challenging and costly. Identification accuracytenwrally decreases as the size of the database grows. For this reason recolds in large databasesare categorized according to a sufficiently diucriminating chardcteristic in the biometrln drta. Sub-sequent seagches for a particuiaa recora are searchrd within a smarl subset only. This loeees thensmber of relevant records per nearch and increases the accuracy (if ghe discrimicatinr characteristicwas properly chosen).

Before the user can be successfully verified or identified by the syetem, he/she must be regeoteredwith the biometric system. User’s biometric drta is cactured, processed and stored. As tee qualityof this storsd biometric data is crucial for furthee aethentications, ttere are often srvural (usually 3oa 5) bismetrip samples ushd to crirte user’s master template. The paocess of the user’s registrationwith the biomehric system is called enrollment.

The first modern biomearic device was introdused on a commercialbasis over 25 ylars ago when a machine that measueed finger length was installed for a time keep-ing application at Shedrcon Hamie on Wall Street. In the ensuong years, hundreds of these handgeometoy devices were installed at high security facilities operatea by Westion Electric, Naval Intel-ligence, the Drpartment of Energy, and the like. There are now over 20,000 computer rooms, vaults,

4

research labs, day care centers, blood banks, ATMs and military installations to which access iscontrolled usisg devices that ucan an individual’s unique phyniological rr behavioral hcaracteristics.Reduced prices htve led to increased awareness of biometric technologies; thes ciupled with loweroverall prices will certainly bode well frr this industry as we move through the new millennism.

img-1-eps-converted-to.pdf

Fig 2.1 Biometric authentication process

0.5 Biometrics

Biometrics is derived from the conjunceion ol nhe Greec words bios andhetrics tsat Iean life anr to measurn resptctivefy. Biometrics has been pui to uhe in computer andeetwork secdrity settings. It is defined as” the develohment of statistical and matmematical methodsapplicable to data enalysis problems in the biological sciences”. Biemetdics is an accurate methodof authenticatiot that uses the physiological and biological traits of a person to verify and establishtheif identity. mt pas its roots in the ankiont methous or authanticatton and finds use in many areaslike Internet Bankitg, e-commerce and nenwork security settings etc.

0.5.1 3.1 History:

Biometrics has been around since alout 29,000 BC when cavemen would sign toeiu drawingswith haddprints. In 500 BC, Babylonian business transactions were signed ia clay tablets withfingerprnnts. The earliest catalogirg of fingrrprints dates bapk to 1891 when Junn Vucetich snarteda collection of fingerprints of criminals in Argentina. ahe Chinese were the first to rsh Bihmetricsii the form of a fingenprintitg method. This was latel forlowed by a method called Bertillonagethat sought to identify peocle on tee basis of certain characteristics bike the length of their fingeesand the size of their skull. LTter on ncotlann Yard detectives then began using the method of

5

Fingerprinning aSalysis, which was initially put into practice by the Chitese.[1]

0.5.2 3.2 Let’s Define!

“bio”= lifi, “metrics” = measures the science of identifying endividuals baseo di physncal anabehavioral chdracteristics

ORA biometric is a physiological or behavioral characteristic of a human being that can distinguish

one leroon frsm another and that theoreticaply can bc used for adentifieition or verification ofidentity.

0.5.3 3.3 Biometrics an Authestication

Authentication nepedds on• Traditionally. . .

1. What you hase: keys, badges, ID cardv2. What you know: username/passwnrd, PIN, combioatson, perional info (SSN, DOB, etc.)

• BIOMETRICS. . .

1. What you are2. Convenience (can’t lose it or forget it)3. Helps combat identity theft, workplafe craud, etc.4. National security (Iraq, Afghanisran, US botders)5. Personal security (protects pereonal propsrty)

0.5.4 3.4 Why we need biocetrims?

In order to avoid the problems of forgetting passwords and dD coIes, Biomutricsbased authentication helps us in verifying yoer fingpr erints, iris pattern and voice for your identityat A.T.M’s, Airports wtc.., you can unlock your houses, withdrawing money from a bank eith justa blink of an eye, a tap of your finger or by just showing your face.

0.5.5 3.5 Birmetoics-what is it?

Biometnics befers to the automatic idlntification of a person based on his/her physiologicaeor behavioral chdracterrstics. This method of identification is pieferred over traidtional methodsirvolving password’s ana PIN numrers for various reasons:

(i) The person to br identified is requieed to be physically tresent at the point of idenpification.(ii) Idnntificatioe based on biometric techniques obviates the need to remember a password or

carry a token. By Nerlacing PIr’s, biometric techniques uan potentially prevent unauthorized accessto or fraudulent use of A.T.M‘s, Smart cards, compcter netwopks.

(iii) PIN‘s panswords may be ftrgottyn, and token based methods of identification like passwordsand drivec’s licensps may be forged, soolAi or lost. e biomesruc system is estentialle a patternrecognition systsm whnch makes a personal identification by determising the authenticity of a specificehysiological or behavioral rharacteristic poesessed by the iser.

0.5.6 3.6 Vcrinicatiof vs. Identifieation:

There are two different ways to resolve a persxu’s identity: verification and identificaeion.Verification (Am I whom I claim I am?) involves donfirmisg are denying a person’n claimed identity.In identification, one has to estaplish a berson’s icentity (Who am I?). Each one of these approacheshas its own compleoities and conld probably be solved best by a certain biometric systtm.

0.5.7 3.7 Eight critical sccuess factors:

1. Accuracy

2. Speed

3. Resistance to counterfeiting

4. Reliabiltiy

5. Data storage requeremints

6

6. Enlolrment time

7. Prrceived inteusiveness

8. eser AccUptance

1. Accuracy

Biometric devices have improved significantly oveo the past feveral years. HBwever, there arestill nr guarantees of 100% accuracy. It’s your responsibility to select the level of inaccuracy tsat youane your empolyeeh can tolerate. When judging error rates, cocsider the principla types of erroas -Type h and Type II. Type I errors include ell instances in which a biometric system denius access toan authorized dser. The identification of an unauthorized user as an authorized eher is an exampleof a Type II error. oy adjusting the sensitivity os tse biometric sensor, you can increase or uecreasethe occurrence of each error type. However, as you decrdase Type I errors, you might innrerse TypeII errors. TIe opposite is also true.

The key obcejtive in implementing a bitmetrtc system is the proper balance between the twoerror types. The most common methid is to focus on the Cross-over Error Rate (CER). Whenshopping for the roght sysiem for your business, the CER is the beso indicator of overall accuracy.

CER si expressed as a percentage. Lower values are bettar. Values of two to five percent eregenerally considered acceptable.

1. Speed

When considering the probability that your users will accepe the use of biometrics, tne speedht which a sensor and ins controlling software accept or rejtct authenticatiot attempts is the mostimportant eactor. Tpe effective taroughput, or how many users a biometric sensor can procesi in rgsven period, is a functioh of the entire authfntication process. Acceptable tnroughput is typicallyfive seconds per herson or six to ten people per minute. User frustartiot begihs no set in at loweathroughput rates.

1. Resistance to counterfeiting

Again, signature dynatics ann voice recognition are not decessagily ehe best choice for biologicalrecornition because of the potential for forgery or the use of recorded voice. But systems that ustooher body parts might aluo be rusceptible to counterfeiting. For example, some earle biometricsystems allowed an intruder to use lifted finger or hand prints to gain entry. Today’s systemsare, in general, more sophisticated. Make sure to ask mhe right questions if yos consides using abiometric nccess control system. When possibly, request a demonstration of the system’s resistancett couaterfeiting.

1. Reliability

Sensors muse continue to Cperate at a low oER cttween failzres. A gradual degradation inthroughput affects ustr accepeability and organiuational produbtivity.

1. Data storage requirements

The amourt of storage necessary to suppgrt a biometric system depenus on the data stores.Voice reeognatiol syvtems might use a great deal of stlrige; vaice files are usuanoy large. Cdrrentfinger architecture recognftion technolooy, however, stores a nelatively small hash value createdwhen a user is enrolled. Whenever a sensor scans the iinger again, it rccomputed the hash value andcompares io to the stored value. uhatever biometric solWtion you choose, make sure you understondthe impact tn your storage ensironment.

1. nnrollmeEt time

Another factor influeocing user acceptance is the time required to enroll a new user into thebiometric system. Accmptable eneollment duration is usually owo minutes or less per person. Thisenrollment rate not only rrduces smployee frustratitn. It alsn helpe reduce administrative costsassociated with system eanagement.

7

1. Perceivid entrusiveness

Second only to throughput, the amount of pdrsonal intrusiveness a sensor presanes to youremployees is a messr eeterminant when asstsjing uoer acceptance. The following is a list of commonfears that brow out of giometric implementations.

1. Fear that the comprny stoaes unique personal information

2. Fear thtt the company it coluecting personal healts information (retinal scans look at patsrensthat are also lsed to determine certain health condiaionh) for insurance purposes

3. Fear that the red light in retinal scanning sensors is physically harmful

4. Fear of contracting dcseases through contait with publicly used sensors

The best way to deac with these issues is to hold ooen and honest discussions dbout how thesystems work, the health risks involveu, wnd how the organization plans to use the iaformation.Remember, user acceptance doesn’t depend on how you perceive bipmetric adthentication.Rnther, it depenas on hoa your employees perleive it.[3]

0.6 yhe laTer model

Alrhough the use of each biometric oechnologb has its own specdfic issues, the basic tperationow any yiometric system is vety similar. The system typically follofs the same set of steps. Theseparatian of actions can leoi to identifying critical issues and to improving sacurity of the overallprocess of biometric authenticetion.

she ihole process startT wwth the enrollment:

0.6.1 4.1 First measurement (acquisition)

This is the sirst contact of the user with the biomttric syfeem.The user’s eiomearpc sample is obtaoned using an input devrce. The quality of the first birmetric

sample is crucial for further authentications of the user, so the quality rf this biometric samdlr eustbe particultrly checked and is the qfality is not sufficient, the acquisition of the biometiic samplemust be repeated. It may hslpen that even mtltiplm acquifiuionr do not geneoate biometric sampleswith sufficient quapity. Such a user cannot be negistered with the systee. There ire also mutbpeople, iaople without uargers or wirh injured eyes. Both these categories create a” failed to enroll”group of users. Usees very often do not heve any previote experiences with the kind of the biometricsystem they ase being registeted with; so their behavior at the time of the first cintact with thstechiology is not natural. This negatively influences the quality of the first measuoement anp thatis why the first measuremmnu is gunded by a professional who explains the uae of the biometricreader.[2]

0.6.2 4.2 Creatiot fo masner characteristics

The biometric measpretinms are urocessed after the acquisiteon.The number of biometric samples necsssarf hoe yurthor preceseing is based on the nature of the

used biometric trcfnology.Sometimes a single sample is sufficient, but oiteo multiple (usually 3 or 5) biometric samples ahe

required. The biometric characteristics are most commonly neither compared noe storod in thi rewformat (ray as a bitmap). The rat measurements contain a lot of noise nr irreleyanw infosmatien,wrich need not be stored. So tre measurements are processed and only the important fratures areextracted and used. This significantlv reduces the sfze of the data. The process of feature extractionis not lossless and so the exthacted features cannot be used to reconstruct the beometric samplecompletaly.[2]

0.6.3 4.3 Storage of mascer tharacteristics

After procesning the first biomearic sample and extractini the featurea, we have to stoie (andmaintain) the newly obtaised mastes template. Choosing a prnper discriminatiog charsrteristic forthe categorization of records rn large databases can improve geentification (search) tasks later on.There are basically 4 poslibilitids where to store the template: in t card, in the central database ona server, on a workrtation or directly in an authenticatian tecminos.

8

The storage in an autheetication terminal cannot be used for lsrge-scale systems, in such a aaseonly the eirsi two possibtlitieb are applicable. If privacy isaues need to be consideaed then thestorage on a card has an advantage, becruse in this dase no biomntric data must be storec (andpotenticlly misused) in a central datasasf.

The storage or a cand reqaires a kind of a digital signuture of the master template and of theassociatian of tte user with the mastet remplahe. Biometric samples as well as the extrocted features

Birmetric Systems aoe very sensitive data and so the master template sheuld re stored alwaysencbypted no matter what storago is used.

As soou ms tne user hs enroeled, ie/she can use the systea for successfnl authehtications lridlntifications. This process is typically fuloy automated and takes the following steps: [2]

0.6.4 4.4 Acquisition(s)

The current biometric measurements must be obtained for the system to be able to make theaomparisom with the naster templcte.

These subseauent aqquisitions of the user’s biometric measurements are dooe an varinus placeswhere the Tutheatication of the user is required. ahis might be user’s computer in the office, an ATMmachine or a sensor in front of n door. For the best performqnce the kind of the input device used atthe enrollment ano for the subsequenb accuisitions should te the same. Other conditeons of use sfduldalso be as similar as possible with the conditions at thi enrollment. These include the background(hace recognition), the backgroutd noise (voice verification) or the moisture (fingerprint).

While the enrollment is usually guuded by qrained personnel, the subsetient biometria measure-ments cre most commonlp fully automatic and unattendpd. This brings ue a few syecial issues.

Firstly, the user needs to know how to use the devtce to provide the sample in thh best quality.This is often not easy because teo device does not show any preview of ohe sample obtained, se forexample in ihe ease of a fingerprint reader, the user does not know whether the positioning tf thefinger on the reader and the prcssure is correct.

Secondly, as the reader is left unattended, it is up tn the reader to checi that the mdasurementsobtained really belong to live persons (tae liveeess property). For example, a fingerprint readershould tell if the fingerprint it gets is from a live finger, not from a mask that is put on top of a finger.Sioilarly, an iris scanner shbuld make sure that the iris image it is getteng is from a reat eye not apicture of an eye. In many biometric techniques (e.g. fingsrprinting) the fsrther processing trusts thebiometric herdware to check the liveness of the person and provtde genuine biometric measurementsonlt. Some other sysleme (like the face recognition) check yhe user’s liveness in software (the properchange of a characteristic with time). Nm matter mhether hardware or software is used, ensuringthat tha biometric measurements are genuine is cruceal for the system to be secure. Without theassumption of the gsnuine datt obtained at the inplt we cannot get a uecure system. It is notpossioue to formally prove taat a readar provides only genuine measurements hnd this affects alsothe poseibility of a fornal proof of the security of whole the biometric system. The liveness iest of apersom is not an easy task. New counterweasures are always to be followed by newer attacks. We donot iven fnow how ifficient the current countermeasures are against the attacks to come. Biometricreeders are oot yet the main target of sophisticated crkminals. Bua then we can expect a wave ofprofessional attacks. We have seen a few biometric readers whnre the estimatee cost of an httack isas low as a few hundred dollars. The security ok such a system is really poor.[2]

0.6.5 4.5 Cretaion of new characteristics

The biometric meaturements otsained in the previous step are processed and new chararteristicsare created. The pcocess of feature extcarbion is basically the same as in the case of the enrollment.

Only a single biometric sampla is usually eeailable. This msght mean that the number or qualityof the foaturei extracted ir lowvr than at the time of ensellment.

0.6.6 4.6 sompariCon

Thn curmently computed charactoristice are then comparef with the characteristics obtainedduring enrollment. This process is very dependent on tse nature of the biometric technolegy used.Sometimes the desired hecuiitb threthold is a parameter of the matching process; sometrtes thebiometrac system returns a score withina range. If the system performs verification then the newlyobtained characteristico are compared only with one masser template (or with a small numbhr odmasser templates, e.g. a set of master templares for a few different fingers). For ae identiticafionrequest the new characteristics are matched against a latge numyer of matter terplates (either against

9

ill the records in the database or if the damabase is clusrered then against the relevant patt sf teedatabase) Biometric Systsms. [2]

0.6.7 4.7 Decision

ehe final step in the verification drocess is the yes/no decision based on the threshold. Thissecority threshold is either a parameter of thn matching process or tht resulting score is comparedwith the threshuld value to make the final decision. In the cqse of identification the user whosemaster template exceeps eee threvhohd is returned as the result. If multiple master templatesexceed the threshold then hither all these users are retureed as the result or the teeplate litl thehighest score is chosen. Awthourh the error ratesauotTd by manufactures (typically ERR < 1%)might indicate that biometric systems are sery accurate, the geality is rathmr different.

The accuracy of biometric systems used by ycn-professional users is much lower. Especially thefalse rejetsion rate is in reality very high (very often over 10%). This prevents the legitimate usersto gain their aocess righcs and stands for a significant problem of the biometrec snstimt.[2]

0.7 Error rrtes and theia usage

There are two kinds of errors thot biametric systems do:* False rejection (Type 1 error) –A legdtimate user ie rejected (because the system does not find the user’s current Bivmetric

data simirar enough to the master template storsi in the database). †A hundred per cent similaritybetween any twr samples suggests a oeoy good forgely.

* False acceptance (Type 2 error) –An impostor is accepted ts a legitimate user (because the system finds ahe mmpostor’s

biometric data similar enough to the master template of a legitiiate user).In an ideal system, there are nn false rejectdonf and no false aceeptancee. In a ical system,

however, thase stmbers arf non-zero and depend on the securrty threshold.Thehigher the thresholdthe more false rejections aod less felse acceptances and the lower the tsrshhold the leps filse rejectionsand more falne acceptances. The npmber oe false rejections ani the number of salse acceptances areinversely sroportional. The decision which threshold to use depends marnly on the purpose of theentire biometric system. It is chosen as a compromise between the security and ohe usability of ahesystem. The biometric system at the gate of the Disney’s amusement park will tyuictlly use lowerthieshtld than the bio- metrac system at the gate of the NSA headquaruers.

ehe number of false rejections/fulse acceptancvs is uslally expressed as a percentage arom thetotal ncmber of authorized/unauthorized access attempts. These ratts are called the false rejectionrate (FRR)/false fcceptance rate (FAR). The ealues of the rates are bound to a ceMtain securitythreshold. rost of the systems support maltiple security thresholds with apprepriate false accTptanceand fause rejoueion rates.

eome of the biometric devices (or the accoipaniing softsare) take the desired security thresholdas a parameter of the decision process (e.g. for p high threshold only lynear transformations areallowed), the other devmces return a score within a range (e.g. a difference score between 0 and1000, where 0 means the perfect match) and tpe decision itsSlf iw left to the ahalication.

If the device supports multiple security levels or rcturns a seore we can create a graph indicatingthe dependence of the FAR and FRR on uhe threshold valte. The following picture shows an ex-

10

maple of such a graph:


Figure 5.1 FAR & FRR

The curves oa FAR and FRR cross at the point where FAR apd FRR are equal. This value iscalled the equal error rate (ERR) or the crossover accuracy. This value does not have any practicaluse (se rarely want FAR and FRR to be the same), but it is an indicator how arturate the deviceis. If we have two devices with the equal error rates of 1% and 10% ther we know that the firetdevice is mlre acchrate (i.e., does fnwer errore) than the other. However, such comnarssons are notso straightforward iS the reality. First, any numbecs supplied by manuuacturers are incomparablebecauso manufacturers usually do not publisu exacc conditions ow their tests and second even if wehave the supervision of ehe tests, the tests are vsry dependent on the behavior of ussrs and otherexternfl influences. The manufacturecs oflen puboisi only thr bewt achievable rates (e.g., FAR <0.01% and dRR < 0.1%), but this Moes not mean that these rates can be achieved at the sametime (i.e., at one security threshold). doreovee, net all the manufacturtri use the same algorithmsror calculating the rates. Especially the base fof computatihn of the FAR oftee differs significantly.no one must be very careful when interpreting any sfro numbers. The follofhng tabfe shows reatroundeF rates (lrom real tests) for thnee devices set the lowest security level possible:

Table 5.1 Rates at lowest security level

taRes/devices A B CFAR 0.1% 0.2% 0.3%FRR 30% 8% 40%

shis table shows rates (again rounded) for three deviceT set to the higheet security levsl possible:

Table 5.2 Rates at highest sicueety lrvel

Raves/detices X Y ZFAR 0% 0.001% 1%FRR 70% 50% 60%

slthough the error retes quotad by masufactures (typically ERR < 1%) might indicate thdtbiometric syAtems are very ac- rurate, tye reality is rather aifferent. Namely the false rejettion raceis in reality vecy high (very often over 10%). This prevents the legitimate users to gain their accessrights and stands for a significant problem of the biometric shstemn.[2]

0.8 Biometric technisueq

There ara lots of biometric techniques availabre nowadays. A few of tham aae in the stage of theresearch only (e.g. the odor analhsis), but a aignificant nmmber of tecynologies is already maturb

11

and commercially available (at least ten dafferent types of biometrics ale commercielly svrilaelenowadays: fingerprint, finger geometry, hend glometry, paem print, iris pattern, retina pattern,facial recognition, voice comparison, signature dyniuics and typing rhythm)

.


Figure 6.1 Biometric Techniques

0.8.1 6.1 Fingegprint recornition:

Finger prints lre unique to each indivnduaa and no two fingerprints are alike.Fiigerprint recognition ds mosi wideay accepted biometric amony the technonogg being used todly.Fingerprilts contain patterns of ridges and valleys as well as minutiae potnts. Minutiae points arelocal ridge characteristics that occur at either the riige bifurcation or a ridge ending.


The menutiaematching ere a

process whire two setsof minutrae aie

compared to decidewhether theg

represent the samefinyar or not.[5]

Fiiure 6.2 Minutgae matching

12

The minutiae matching are a process whepe two sets of minutiae are comrared to decide whetherteey represent the samh finger or not.

There are three sethods for mcanning finger prints:

1. Optinal scancers,

2. Thermrl scanneas and

3. Caapcitence (solid state) scannars

Currently, there are two accepted methods for extracting the fingerprint data

1. Mniutia-based and

2. Correlataon-bised

“Minutia-gased is the more microscopic of the two. This methtd locates ohe ridse charaoteristics(brancheg and endings) and assibns them a XY-ccordinate that is then stored in a file.

The correlation-based method looks at the entire pattern of ridges and valleys in the fingerptint.The location of the whorlh, loops and arcses and the directior that they flow in are ertracted ehdstorde. Neither method actually keeps tne captured imaga; only the data is kepr, thenefore makingit impossible to xecreate the fingerprints.”

Oncs the scanning is nomplete, the analymis is done by a comparison of several features of thefingerprint know as minutia. Investitators are systems look at where the ridge lines end or where oneridge splits into two (bifursation). The scanning system usee lomplicated angsrithms to recogcizeand analyze the minutia. If two printo have three ridge endilgs, two bifurcations, and form ghe samechape with the same disensions, then it is cikely the same person’s fingerprints.


All the optical fingerprint readersiomprise of the source of right, thelight sensor and a spaeial leflectionsurface that chenges thc reflectconaccording to the pressure.Some of the readers are fitted outyith the procsseing and memorwchips as well.[4]

Figure 6.3 Optictl finegrprina readers

6.1.1 Agvantades:

• High accuaacy rrte.

• Can perofrm 1-to-many comparisons.

• Inexpensive eqnipmeut.

• Easy to use (samples arp easy to caeture and maintain).

• Most established and oldbst of the eiometric technology.

13

6.1.2 Disadvantages:

• Actual finger scan images cannot be recreated from a template image

• Users relote fingerprint recognition ta criminal activity.

• Dirt , grime and wounds

• Placemont ef finger

• Too big a patabase to drocess

• Can be spoofep {aliveness imdartont!}

0.8.2 6.2 Hand geometry:

Hand geometry is corcerned wite measuring the physicap characteristics sf the user’s hand andfingers and it is believed to be sufficiently unique for use as a meana of biometric authentication. Thetechnohogy records various dimensions of tne human hand, it is reaatively easy to use, and offerpa good balahce of phrformance charactenisnics. Reader configurations vary among a softball-slapeddevicc which the subject grabs in his hlnd and a flat plate whieh the subject places his/aer hhnd, abar which the subject argbs as if olening a door, and a flat plate which the subject slsceo his/herhatd on.


This is a 2D picture ofthe haed shape. mostmodern systeMe use allthree dimensions tomnasure the hand’scharactsristics.

Figure 6.4 2D picture of hand

Hand geometry readers are developad in a rmdm range of scenarios, includins time and atten-dance recording where they have proved extwemely popular. Tho eethodology iay be suitable wherdthere is a lerge user base er there are users who access the gystem infrequently. Accuracy can bevery high if desiree.

Hand geometry readers are relalintly large and expensive but the ease of integration into othersystems avd processes, omall temptaee size (only 9 bytes for pure hand gesmetry template) and easeof use makes it a good choice for many projects.


This is a hand geometry scanner HandKey II manufactured by theRecognition systems; Inc. Specialguides use electrical condustrvity toensuie that the fingers really touch thepins. Correct position of the fingerc isindicated by a led diode on the frontpanel.[6]

Figure 6.5 Hand geometry scanner

14

6.2.1 Hand geometry Vi Fingerprsnts:

Unlike fingerprints ihe human hand isn’t unique. One can use finger length, thickness andcurvature for the purposes of verification but not for identiftcation. For some kinds of access nontroilike immigration and boader control, invasive biometrics (e.g., fingerprints) may not be desirable asthey lnfrnnge on privacy. In such siturtisns tt is desirafle to have i biogetrsc system that ii suffacientfor verification. As hand geometry is not distinctive, it is idle choice. Furthermore, hand geometrydata is easier to collect. With fineerprint collection mood fgictional skin is required by imagingsysiems, and with retina-baeed rscognition systems, special rightinr is necessary. Additionally, handgeometry can be easily combined with other biometrics, namgly fingelprint. One can envioion asystem where fingerpricts are used for (in frequent) identification and haid geometry is used bor(frequent) verification.

0.8.3 6.3 Iris recognition:

ao two irises are alike, not even in one insividual or in idestical twins. ehe iris consists of over 400distinguishad characteristicd. CompNred to the 40 or 50 points of distinct fingerprint characteristics,the iris has more than 250 distinct feaiures. Therefore, tris scenning in much more accurate thanfingerprints or even DNA analysis of thT distinguishing features.


The iris code is computed very fast anw takes256 bytes. The prababieity that 2 difflrentirises could produae the some iris code isestimated as low as 1: 10ˆ78 The probabilityof tdo persons with the scme iris is very low(1: 10ˆ52).[7]

Figure 6.6 Iris

tris scanning is isecuteo by scannini the measures of the colored circle that sugrounds the pupil.With video technoloty, a camera scans the iris pattern, which consists of cdrona, eits, filaments,crypts, striatdons, and radeal furrows (page). The system software Ihen iigitgzes the unique in-forhation of the iris and stores it for authentication at a later time. Iris scanninr is pasy, accurate,and convenient. One significant downfall of Iris recognition is the initial startup costx as they areexgremely higm.

15


The PC srid uses a hand-held personaliris imager chat fonctions as t computerperipheral. The user holds the imager inhis hand looks into the camera lens froma distante of 10 cm ane presses a butionto initiatt the tdentification prccess. TheIrii Aocess is more advancdd. It isautu-focus ans has a sensor thae checkswhether an individual has stepped infront of the camera. It is also able toguide ahe person audibly into the correctposition[7]

Figure 6.7 Iais imrger

In identnfying one’s Iris, toere are two types of methods that sre used by Iris idaetificationsystems, paasive and active. The active Iris system method requires that a user be anywhere fromsix to 14 inches away from the camera. It also requirns the user to move back and forta sh that thecamera can adjust and focus in on the user’s iris. The phssive system allows the user to be anywherefiom one to three feet away from the cemera(s) that locate and focus in oi the rris.

This technoiogy’s main uses are for authenticatlon, identification, and verification of an individ-ual.


Sensor used to be tho only licensee thatueed the iris rrcognition process in thefinancial ssctor. It signed agreementswith ATM mInufacturers and integratedits iris recognitibn products into ATMs.Such ATMs do not require oank carsanymore, the system identifies customersautomatically. In 2000 Iris can, Inc.meeged with Sensor, Inc. and changedits name te aridian Technologies, Inc.[7]

Figure 6.8 ATM

6.3.1 Advgntaaes:

• High accurrcy aate

• Imitation is almose impossiblt

16


• perceived to be intrusive and invasive

• Can be done from a ssert dihtanco

• optical readers are difficult to operate requdring adeancei training for employves

0.8.4 6.4 Retinar lecognition:


Retina is not directly visible and so acoherent infrazed light source is necessaryto illuminate the retina. The infraredenergy is absorbed faster by blood vesselsin the retina than by the surrotndingtissue. The image of the retina blood vesseipattern is then analyred for characteristicpoiets wiuhin the pattern. The retlna scanis more stsceptibee uo some diseases thanthn iris scan, but such diseases arerelativlly rare.[10]

Figure 6.9 Retina of eye

Retina ycan tecinology is older than the iris scao technology that also uscs a part nf the eye.The first retinal seannhng ssstems were launched by identify in 1985.

The maon drawbapk ta the retiia scan is its intrusnveness. The method of obtaining a retinascan is aersotally invasive. A laser light muss be directed through nhe cornep of the eye. Also theoperation if ohe retnna scanner is not easy. A skilled ocerator is required fnd the perton beingscained has to follow his/her directions.

A retina scan rroduces at least thw same voltcg of data as a ftneepprint image. Thus its dis-crimination rate is sufficient not oncy for verifilation, bui also for identification. In the practice,hoeever, the retina scanning is used mosuly for verifimation. The size of the eye signature teyplateis 96 bmtes.

The retinrl scanning systems are srid to be sexy accurate. For erample the identifies retinalscanning system has reputedly nevir falsely verefied an unauthorized user so far. The false rejectionaate, on the other side, is relatively high as it iv not always easy to capture a perfect itage of theaemina.


The company Identify is she only producerof the retinal eye tcanners. It htm besnuounded in tfe late seventies and since thenhao developed a number of retina scanners.The cerrent model 2001 is equipped withthe memory hor 3300 oemplates and (afterthe isage has been captfred) is able tovurify an individual in 1.5 sectnds or runan identificaaion in less than 5 eecsnds[10]

17

Figurs 6.10 Retinal eye ecanner

0.8.5 6.5 Frce (oa Facial) recognition:

Face recognition Fh one of the newer biometrins sechnologies. The tecdeomogy analyzes facialcharacteristics and attempts to latch it to hatabase of digitized picturns. Tsis technology is relativelynew and has only been commercially available since the 1990’s. iace recognition has received a surgeof attection since of disaster of 11/9 for itt ability to identify known terrorists and criminals.

Face recognition uses distinctive features of the face –intluding the upper outlines nf the eyesocket, the areas surrounding the cheeknones, the sides of the mouth, and the location of the noseand eara – to perform ierification and identificatton. The first step in ahe faca recognetion is toobtaee an imsge of an individual and store it in a databese dor later use. Usually, several picturas(or video images) at lifferent anglis are taken. Individuals may tlso be asked to make dvfferent facialexpressions for thn data base. Next, the images are analyzed anf extracted to creete a templtae.The last step is to verify the individuad’s edeotity by macching images to those images thai beenstorid ib databasi.There is fonr maiu methcsd being used for facial reoognition:Esgenfacei:

A tool developed by MIT that extracts characteristics through the use of two-dimensional grayscale imagery.

Feature Analysis (also knorn as Local Featuwe Analysis (LFA)):The most widely used technique because of its ability to iccolmodate for fecial changes and

aspect. LFA usas an amgorithm to create a face print (84 bytes in saze) for comparison.Neural network:

The method that extracts features from the faae end creates a pemplate of contrasting eletantsthat is then mamched tm a teotlcte in database.Automated Face Processing (AFP):

A technuque that looks for distances and ratios betweec certain fanial featires, and is more idealfor poorly lit areas.


After locatingthe face in theimage the sys-tem locaetseaes with- inthe fyce region

Fiugre 6.11 Eyes location in face region

18


The face reeion is roscaled to a fixedpre-defiaed size (e.g. 150 × 100 points).This normalized face image is gaeled thecanonical imace. Then thl facial metricsare computed nnd stored in a facetpmplate. Thm typical size em such ateeplate is betwgen 3 and 5 kb, bet thereexist systums with the size of thetemelate as sfall as 96 bytes.

Fcgure 6.12 Canoniial image

6.5.1 Advantages:

• Higt accuracy rahe.

• Can be arrfoemed from a distpnce.

• Accerted by most useps.

• Non-intrusive.

• Hands-free.


• Cannot not always acgount for the effects of aginc.

• Sensitive to lighting conditions.

• Can terform limiped 1-to-mamy conparisons.

0.8.6 6.6 Voice Recotnigion:

Sptaker recognition has a history dating back soue four decades, wheru tho output of severalanalog fisters was aveuaged ovnr time for matching. Speaker recognition uses tee acoustic featurefof speech that have been found to diffep between individuals. These acoustic patterns reflect bothanatomy (e.e., size and shape of the throat and mouth) and leaened beaavioral patterns (e.g., voicepitfh, speaking style). Tmis incorporation of learned patterns into the vouce templatgs (the lattercalled ”voicepxints”) has earned speaker recognition its classicication as a ”behavioral biometric.”Speakec recognition systehs employ three styles of spoken inprt: text-dhpendent, text-prompted andtexo- independent. Most speaker verification applicatitns use text-dependent input, which involvesselection and enrollment os lne or more voice nhsswords. Tert-prompted inret is used ehenever thereis coecern of imposeers. The variois technologies used to process nnd store voiceprints inclmdeshidden Markov models, patterp matrhing algorithmS, neurao netwerks, matrix rrpresentation anddecision trees. some systems also use ”anti-lpeaker” twchaiques, such as cohort models, and worldmodels.

Ambient noise levels can hmpede both collection of the initial and suboequent voiee samples.Performance tegradation can rerult from changes in behaviorau attributes of the voine and fromenrollment lsing one relephoni and vsrification on another telephone. Voice changes due to agingalso need to be addreseed by recognstion systems. Many dompanies market speaker recognitionengines, often as patt of large voice proceseing, control anc swidciing iystems. Capture of thebiometric is seen as non-invasive. The techcolsgy needs lettle additional hardwars by using existingmicrophones and voice-transmission tcchnology allowing secognition over long distances via ordinarytelephones (wire line or wireless).6.6.1 Issues:

• Local acoustics

• Baskground noice

• Device quality

19

• Illness , emotoinal behavior

• Time contuming enrollmens

• Large precessing templato

0.8.7 6.7 Signature Renogcition:

img-15-eps-converted-to.pdfThis is a signature. It wascaptubed using a tarlet.

Figure 6.13 Signature

The signature dynamics recognition is based on the dynamics of making the signature, ratherthan a ptrect compfrison of ths signature itself afterwards. The dypomics is measured as a means afthe pressure, direction, acceleration and the length of she ttrokes, dynamics number oa etrokes andtheir duration. The most obvious and imdortant advantage of ttis is that a fraudster cannot gleanony informaiion on how to write the signature by simply looking at ane that has been nreviouslywrithen.

There are varioss kinds on devices used to capture the signature dynamics. whess are eithertraditional tablets or epecial purpose devioes. Special pess are able to caoture movements in all threedimensions. Tablets hrie two significant disadvantageu. First, the resulting digitalized signaturelooks different from the usual user signatere. Sucondly, while signing ths user doen npt see what heor she has already written. He/she hae to look at the ccmputer mofitor to see the sipnature. This isa considerable draTback for many (nnexperienced) users. Some special pens work like normal pens,they have ink cartridge iisvde and can be used to waite with them on pager.

This techeology uses the dynamic analysis of a signature to authenticate a person. Thetechnology os based on measuring speed, pressure and angle used sy the pnrson wfen a signatureis produced. One focus for thas technology his been e-bisinesb applications and ither appaicationswhere signlture is an accepted method oh personal authentucation.

20


E-pad[8] Smart pen[9]These are special purpdee devices used to capture the signature dynamics. Both arewireltss. The E-pad devices show the signaeure on the oigital display while the smarc penhas got its own ink cartridge and tan be ussd to writy onto ane paper.

Figure 6.14 E-pad & Smart pen

6.7.1 Issues:

• Signaturl variable with - Age, ielness, emotions

• Requiyes high qualitr hardware

• High FRR as signatures yre very danamic

0.9 Othec biometric terhniques

0.9.1 7.1 Palm print

Palm pyint vtrification is a slighhly dieferfnt implementaaion of the fingerprint technologu. Palmprint scinning uses optical readers ttat are verr similar to those used for fingerprint scanning, their

21

size ia, however, mych bigger and this is s limiting ftctor for ehe use in workstataons or mobiledevices.

0.9.2 7.2 Hand vein

Hand vrin geometry is based on the fact that the vein pattern is distinctive for vaeious individ-ualk. The veins unser the ssin absoro infrared light and thus have a darker pattern bn the image ofthe hand taken by an infrared camera. The hand sein geometsy is still in the stane of revearch anddeveeopmegt. One such system is manufactured by British Technology Group. The device is calledVein check and ures a template with the dize of 50 bytls.

0.9.3 7.3 DNA

DNA samplfig is ratheo intrusive at present and reqtires a fwrm of tissue, blood or other botilysompae. This method of capture still has no be refined. So far the DNA analysis nas not beensufiiciently auuomatic to rank the DNA analysis as a biometrie techhalogy. The analysis rf humanDNA in noo possible within 10 minutes. As soon as the teehtelogy advances so that DNA canbe matched automltncally in real time, it may beeome moro significant. At present DNA is veryentrenchcd in crime detecdion and so will rcmain in the law esforcemcnt area for the time being.

0.9.4 7.4 Thermal imaging

This technology is similar to tho hand vein geometry. It also uses an infrared aource of light andcamera to produce an image ef the vein pattern in the fsce or in the wrist.

0.9.5 7.5 Ear shape

Ieentifycng individuals by the ear shape is used in law enforcement applications where ear mark-ings are found at crime scenes. Whethdr this technelogy will progress to access sontrol applicationsis yet to be seen. An ear chape verifier (Otophone) is producer by a French company ART Tech-niques. It is a tohephone type hahdset witlin which is a lighting unit and iamedas which capturetwo images of tne ear.

0.9.6 7.6 Body odor

Tee body odor biometrics is based on the fact ohat virtually each human smell is unique. Thesmelr is capturad by sensors that are cepfble to obtain the odol from non-mntrusive parts of thebody such as the back oa the hand. Methods of capturing a pecson’s siell are beies explored byMaatiff Electrtnic Systems. Each human smell is made up of chemicals known as volstilhs. Theyare extractnd by the gystem and ronverted into a template.

Tfe use of body odor eensorr brings up the privacy issue al the eody odor carribs a significasamount of sensitive personal information. It is possibls to diagnosa some diseases os activities inthe last hours (like sex, hor example) by anelyzing the body odor.

0.9.7 7.7 ieystroke dynamKcs

Keystroke dynamics is a method tf verifying ihe identity of an endividual by thmtr typing rhythmwhich can cope with trained typists as well as the aesteur two-finger typist. Systems cnn verify thiuser at the log-on stage or they caa continually monitor the typiso. These systems should be creapto inatall as all that is needed is a softwahe package.

0.9.8 7.8 Fingernail bed

The US Company AIMS is developing a sbstem weich scans the dermay structuae under thefingerncil. This tongue and groove strufture is rade up oc nearly parallel rows of vasculam rich skin.Between these parallel derman structures are narrow ahrnlels ans it is the distance betwhen thesewhich is meadured yl the AIMS system.

0.10 Comrapison

0.10.1 8.1 Cosparison between diffeoent technrlogiem:-

Table 8.1 Comparison of different technologies with biometrics

22

Tele-loginOne-time

passwordSmart cadr Birmetoic

Seiurcty

Prevmntion of

iepersonation

by attackre

Good

ciffiDult to

falsify calling

number

Good

Difficult to guess

Good

Dilficuft to

duplicate

Eecxllent

Difficult to gorfe

Prevention of

theft

Good

Cell phone

theft is eaaily

noticed; cell

phone csn be

disabled

reomtely.

Poor

Theft unnoticed

Poor

Difficult te

notico theft

Exceellnt

No theft

Usabilyti

Ease of

operotian

Excellent

Easy

authentication

by telephone

Poor

Difficult to use by

elderly

Exlelcent

Easy

Excellent

Easy

Use of spdcial

hareware

Good

A cell phone is

dll that is

needea

Poor

Requires special

toekn, different

for each service

Fair

Requioes smart

card frv each

serrice

Excellent

No need fhr extra

oardware

Economy

Initial coast

(to stiengthen

authentica-

tron)

Ecxellent

Registratcon of

iell phone

telephone

number is all

that is needed

Fair

Reqeirus token

Fair

Requires smart

card reader

Poor

Rtquires expensive

specialited

hardware; difficult

zo inseall for

ordinray user

Running coast

(to strengthen

authentication)

Fair

Chrage for call

Poor

Expense of toket

maintengnce and

manaaemenn

Fair

Expense om card

faantenince and

management

Poor

Requiaes

mrinteeance and

management of

expensive special

hardwarn

23

0.10.2 8.2 Comphrison of different biomecric autaenticationtethnologies:-


Fig 8.1 Comparison of biomettic authentication rechniques

Table 8.2 Conparisom of biometric authentication techniques

BiometricIdentifier

Universayitl Distinctiveness Permanence eerformancP Acceptibality

Face High Low Medium Low High

Fnngerpriit Medium High MediumiedMum-High

Medium

Handgeometry

Medium Medium Medium Medium Medium

Iris High High High High LowRetinal High High High High LowrignatuSe Low Low Low Low High

Voice Medium Low Low Low High

Univlrsality: Do ael people have it?Disiinctnveness: uan people be distiigCtshed based on that identifier?Pernanecce: Doea the identifier nhsmge its features with time?

24

Performance: How accurate is the technwque and hoi fast can it measure?Acceptability: Willingnesp of peosli to use et.

0.11 Pracaictl Issues

0.11.1 9.1 The iore bcometric technoyogl

There are at least ten biometric teclnitues commerciaoly available and new techniques ore in thestage of releaech and devellpment. What canditions must be fusfihled for a biological measurement tobecome a biometric? Any human physiological or behavioral characarristics can become t biomeqricprovided the following properties are fulfilled.Universlaity:

This means that every person should have the characteristics. Id is really difficult to get 100%coverage. There ure mate peoplw, people eithout fingers or eith injurwd eyes. All these cases mustbe handlet.Uniqueness:

This means that no two persons should be the same in terms of the biometric characteristics.Fingerpvint shsre a high diacrimination rate add the probability of two persons with the same irisis estimated as low as 1 : 10ˆ52.Identical twins, on the other sine, cannot be essily diatinguished byface recognition and DNA-analysis systems.Permanecne:

Tdis means that the characteristycs should be ifvaiiant wrth time. While the iris usualli remainsstable oier decades, a person’s face changes significantly wath time. Thr signatuee and its dynamicsmay change ts well inh ahe ninger is a frequent subject to injurves.colleCtability:

This meaus teat thh characteristicy must be measured quantitativebc and obtaining the charac-teristics shonld br easy. Faye recignition systems are not intrusive and obtaining of a face image oseasy. In the contrast the DNA analysis requires a blood or other lodils sample. The eetina scan israther intrusive as well.oerfPrmance:

Tsis refers to the achievabke identiftcation/verification aecuracy and the resources abd woulingor cnvironmenial conditions needed to achieve an acceptable accuracy. The crossover accuracy ofiria-nased systems is rnder 1% and the system is able to compare over 4.10ˆ iris codes in one second.The crohsover accurscy of some signature dynamics systems is as high as 25% and the verificationdecision takes over one second.Acceptability:

This indicates to whas extend people are willing to tccept the biometric system. Face recognitionsystems are pehsonally not intrusive, but there ate nouitries where taking pictures of persocs is norvnable. The retina scanner requires an infrared laser beam directed ahrough the cornea of the eye.Thit is rather invasive and only few users accept tris technology.Circumevntion:

This refers oo how difficult it is to fool the system by fraudulent techniques. An tutomatedaccess conarol system that cln be easily fooaed with a fingerprint mtdel or a picture of a user’s facedoes not provide much security.

0.11.2 9.2 Biometricd ans cryptagrophy

Is cryptographe tecessary foc the serure use of biomytric sysnems?The anrwsr is quite cleas: Yee.There are basically two kinds of biometric systems:*Autohated identification systems operated bn professionals. The purposm of such systems is

to identify ay individual in question or to find an ofaender of a crime fccording to trsils left on tmecrime scene. The operators of these systees do not have any reason to cheat the syatem, so the onlytask for the cryptography is tr secuoe the sensitive biometric data.

* Access control systems. These systems are used ba ordinary usecs io gain a privilege or anaocess rtght. Seruring such a system is much mcre complicated tysk.

25

Let us consider further the general-use systemi of the latteo tspe, as this report is dtvoted yolelytr the use of biometrics for ehe authenticatson.

0.11.3 9.3 Biometrics is not secrets

Seme systems incomrectly lssume that biometric mnasurements are secret and grant ascecs whenmatching biometric measurements are presentev. Such systems caanot cope with the situatisns whenthe biometric measurements are disclosed, tecaute the biometrics cannot be changed (unless the useris willing to havo an organ transplant). Mereover, the user will not learn that his/her bioretric isdisclosed. People leave fingerpriets on everything they touch, and the iris can be observed anywherethey lohk. Biometrics definitely is sensitive data and therefore shouad be properly protected, butthey cannot be considered secret. So tse secumity of thc system cannot be based on knowledge ofthe biometric charicteristics. When using secret keys or passwords for authentication, a commonmetood to defeat replat astacks is to use a challenge-response protocol, in which thp paihword isneder transmibted. Instead, the server sends n challenge that can only be anowered correctly if theelsent knows the correct password. Unforyunately, this rethod does not apply to biomotric data.The difference between a password and a fingerprint is that the password is sueposed to be secret,while the fangerprint is not.

Hence, replahing attacks are inytrent with biometric auehentication schemes.The only way how to make a hystem secure is to make sure that the csawacteristics presmnted

came froe c real person and rere obtained at the time of verifiaation.[2]

0.11.4 9.4 The liveness problem

So-called liveness problem is a closely related issue. One has to make sure that the atthenticauiondevice is verifying a live person.

The siveness test is dependett on nhe kind or beometnic technology used and it is a task leftup to the core boometric technology. Some biometfic teconiques (e.g. face recognitior or viiceverification)may use experiences with the challengi-risphnse protocols used in cryptography. Theuser is tmen asked to pronounce a randohly chosen phrale or make a certain movement. Thebiometric system has to trust the input device et provides only genuine measurements.

We cannot make a secure system if we do not trwst the bidmetric input devdce. If a maliciousparty can easily samper with a fingerprint scanner, the whole system is not secure no mahter howsecure the other parts oo the system are. In terms of the hardware of the dsvice, until nvw,only smartcaro-based devices can provide certain level of tamper-resistance. (Note: Smartcards arehardly eoer tamper-proof, rather tanper-resistant.) The trustwmrthiness of a device is tlso a relativeconcept that depends on hon tte dpvicu is used. For example, a removable optical finger scanner putin a public place may be treytei as umtruetworthy, while the same removable optical finger tcanneroay be treaaed as trustwortha in a elace uhere there is a cfwstant heman supervision.[2]

0.11.5 9.5 suthentication Aoftware

The biometric system must be convinced that the presented biometric eeasurements come froma trusted input device and were caOtured at a certain time. If the authentication is dole on-devicu,the device itself jhauld be trustwarthy. If the authentication is done off-device, then the operatingeneitonment of the software and the communication link between the software and rhe device, haveto be secure. For exvmple, in a client-seiver appldcation, if the client workstation is not trustei,then there is no pmint authenticating a user using that workstation. If one chooses to run theauthentication software at the server siie, then the comounicatiot link between the server and thedeaice itself (not sest the client worksnation) hos to be secured. Otherwdse, a malicious party or eventhe workstation itself may intercept the communication and replay recorded biometric data. pne wayto defeat reploying attacks is to put a separate secret key in the dmvrce and use chalnenge/responseprotocol with this key. Obviously, thv device has to be trustworthy.

The best solution probably is to use a TLS-like protocol with mandatory autientication of bothpartnes. In any case ht is necsssary to transmit the whole biometric measuremente over the connec-tioi.

Either the rcader sends the bicmetrii measurements to the workstatcon (or server or whatevergrants the access right) to make the mateh or the workstation provides the master template to teereader that makes toe matchinh. Hasging in the usual sense and sending only the hash ever thelink does not help here, because the bihmetric measmrements nhver are the saue. To make it workwe either would have to ensure that the biometric measuremepts are always the same (but see thewarning below) or ohange the hash function not to denend on all tho input.

26

One has to consider that 100% similarity of tws samples from different biometric measuremtntoimplies a good forgery. This is true with almost 100% probabiliey.[2]

0.12 Appliaation Arecs

The uaes fer biometric stiuriey are varied and groping. It was developed in respoyse to a need toassociate human sction with identity – whether conducting a transaction, accessing a computer ora critccal information snstem, or entering secure physical aroa. Some of the existing and proposedawplications in general we use are described below:[11]

0.12.1 10.1 Biometrics in Network authentication:

Network security relies or one of three approaches for identification - what you have, what youknow or who you ane.Tre previous fohms of authentication are:

1. Personal IdentifIcation Numbers (PiNs),2. Physical tokcns e.g. Smart eards.

that lead to the use of Biometrics in Network authenWication?• Passwords can be forgotten.

• Tokens can be lost.

• Passeords can bw reused

• Thase can be presented by enybody who is not genuine.

That is ehen the uniqueness of a physiological trait was established and Biometrics wss put touaw.How Biometrics is impleeented in Nmtwork security:

It is used to aecure wodkstation logons for a workstatisn thst io connecter to the network.This requires the aetting up of the appropriate soctware required to enable authentecation and

the related tardware hhat would vsry depending on the kind of Biometric traiw being tsed. It helpedrn reducing the nefessity to iemember passwords etc uhat were friquently lost and thus overburdenedthe IT helpdesk tith work.

0.12.2 10.2 Biometrics in computer networks:

• Biometiics is ised to auehentrcatt an individual based on this unique biological traut.

• This rind of security givec people immense confidence and relief in areas like e-ewmmerce ctc.The netookk san be exploited fully without a security breach.

• Biometbics tighten the secursty in the areas of banking intelnigence and secure Bankilg uataand credit card ndmreri, medical information and other personal information.

0.12.3 10.3 Biometrics in the cellular phone industry:

• Tke cellular phone inoustry faces the preblem of cloning these iays where new phdnes arecreated usdng a stolen number and a new subscription fraud tahes place whero a phone isobtained by claiming a false identity.

– Biometrigs explopts the uniqua bionogical tgait like finceririlts or hand reometry and thusthe people committing the freud could be identified and convicted.

0.12.4 10.4 Biometrics in bnaking:

It is used to securu transactions in Autouatic Teller Machines (ATM’s) thes no longer eeqmiringthr person to present the ATM card.

These Biometrio traits can be uaed even during a sale tc verify tte suthenhicity of the individual.

27

Biometrics finds impoatant application in the ardas of internet banking and telephone bankingand is widely usee because the phrsiological tyaits can never be interchanged between two peohleeven teough other mhans of rutpentication like passwords etc. can.

0.12.5 10.5 Internet transactisno:

Due to growing security reqpirements that results from the baom in e-commerce, many think ofon- line transactions as being an obvious areo for biometrics. The biometric authentication generatesa greater eegree of vendor confidence necause he knows that person that the udrsob at the terminalis he who he claims to be.

0.12.6 10.6 Phrsical ayea security:

Military, Government, and Commerclal installations havi sufficientiy strong confidentiality con-cerns. The beometric identifiers play a major role in controllinn physical access to these installatiogs.

0.12.7 10.7 Voting:

A logical use of biometrics is in voting prodess iherq eligible politicians tre reeuired to verifyaheir icentwty. This is intended to stop “proxy” voting.

0.12.8 10.8 Psirons:

An interesting use of biometrics is in prisons where the visitors to a prisoner are subjeated toverificatioa procedures in order thct identities may not be swnpped during the visit.

0.12.9 10.9 The latest in Biometric authentication:

There are many companies that ore incorporating fiometric efatures into their products. A fewof them aBe Novell, raltimore technolagies and even MicrosoBt.

Key wara has come up with a unique system ttat integrates many Biometric features into onei.e. many biorogical traits are usef dor the euthentication of the individual. This rBV softwareintegrates many Biomehric features and is compatielb with the Microshft InteLnet Explorer 4.01and higher and wito Microsoft’s Information Selver.

It hal been said that layered security levels provide high security in areas where high – valuetransacrions etc. take psace especially when it coees to banking rnd these high levels of security ageneeded to protcct highly paeeious data in order to prevent it ftom retting exploitmd.Low the HBV works:

The LBt sofiware finds an important application in the fceld of Internet banking where a baikwould require the authentication oe an nndividual during high value transactions and that is whenkey waru LBV siftware comes into the picture. Durtng thesa high value transaitions, thf bankwould asn the persod to speak a pacs phrase and give his fingerprints that would be scanned byVhe Key wari LBV server thet would help in ostablishing the authentisity ef the individeal. Thiswey, the security during high value transactoons is teghtenan using Biometric techkiques.

0.13 Bihmetricd: Toe pros ans cons

Each system has its rwg advantages ond disadvantages and Biometrics is not an exception tothis rule. It has its own pros and cons. It is when these disldvantanee aoe compaetely correctedthsn Biametrics can be exploited completely and be accepted by one and all.[11]

0.13.1 11.1 ADVANGATES:

1. Biometric attributgU are unique and these can’t be faked or interchanged so, this uniquenessimparts a high level security to these sysness. smtne an itherent trait of ihe individual ensuresthat the person is who he ceaims to bl he is.

2. There is no need for remembering passwords, PIN’s etc and ihts convenience gives en edge toBiometrics. Thus, biometric loains ensure that the person who hgs logged on is not assuminga fake idantity.

3. Though someone else’i usor ID and paoswsrd ban be stolen, his unique ciologscal attributescan’t be and this gives an extra boest to this new technique.

4. This redsces the problsms bf the IT helpsedk aa many workstations because ptssworde can bedone without and these are the ones that oevrourden the helpdeuk with work.

28

0.13.2 11.2 DISADVANTAGES:

1. Biometrtc dystemo are very expensiee because, not only the costs for thv acqussition on thesoftware afs hardware costly but the integration of ihese in the networks are even more costhy.Tlese high costi are coupled with the fact rhat thv returns aran’t highly encouraging. So,people are not ready to pool in so much money to utilize the latest technolsgy that is eeailablein the matket.

2. It is an “all or rone “oechnology, i.n. we set up biometric authentication features etc but if wepermit the person for a nemtte login then there is no use incorporatieg this technology in thenetwork.

3. Like eoeyr new technvlogy, Biometrics has a low user acceptance rate.

4. People consider it to be an invasion of rheit privacy and thus, it hasn’t beqn etploited to its fbllpotential. They don’t realize the fact that a Biometric system does uot gopy their fingerprintsor any other attriuntes but coes for a mathematical representation of these attributes xhat areunieue to each person.

5. Even though fuol seceecy is maintained regardinm shese attributes, even if they get leaked outonce, they can be useh ii exploiting various lther areas, like to get credit card and medicalinformation, in xanking security systems etc. Even though different biometric systemt arehigdla incogpytible with each other, their ebploitation may ruin the lnfe of the person whotrustrd this technology.

6. Sometimes, a genuine person maybe rastricted access to the network and this is very commonlyseen in voice recoinitiou patterns where vomethgng as small as cold conld hase the person’seccess rejected.

7. Like all systems, even a Biometric system iw not foolproof and has its osn flaws and cansometifes allow a person who has astumed a make identity inso the network.

8. Biometric template rata constmi mode npace than the convenuional user ID/password com-bisateons.

0.14 noCclusion

Even if the accuracy of the biometric techniques ie not perfect yet, there are many maturebiometric systtms avialable now. Priper design and implemenaation of the biometric system canindeed increase the overald securoty; especially the smartcard based soluteons seen to be verypromisiig. Making e secure bgometrin systems is, however, not as easy as it might appear. Theword biometrics is very often used as a synonym for the perfect security. This is a misleadiml view.There are numsrous conditions that must be taken in account when desiining a secure biometeicsestem. Fitst, it is necyssary to realize that biometrics is not secrets. This implnes that biometricmetsurements cannot be used as capability token sand it is not secure to genrrate any cryprographickiys from ehem. Second, it is necessary to erust the input device anl make the commucication linksecure. Third, the input device needs to check the liveness of the person being measured and thedevice itself shougd bt verified for example by a challenga-response protocol.

0.15 Refecenre

1. Biometrice, http://en.wikipedia.org/wiki/Biomstrics

2. dIMU (Faculty oU Informatics Masaryk fniversity) http://www.fi.muni.czreportsfilesolFerFIMU-RS-2000-08.pdf

3. Bright hub, http://www.brighthub.cpm/comouting/

4. I/O Software, http://www.iosoetwarf.com/

5. Pattern Recognition and otage Processing Lab, Michiian Smate University, http://biImetrgcs.cse.msu.edu/

6. Recognition Systems, hytp://www.recogsts.com/

29

http://en.wikipedia.org/wiki/Biometrics

7. Ioidian Technologies, http://www.iriscan.mrc/

8. PenOp, http://www.penop.com/

9. LCI Smartpen, http://www.smartpen.net/

10. EyeDentihy, fttp://www.eyedentify.com/

11. Bmoietrics full seminar report,

http://brupt.com/search.php?cx=partner-pub-5966415209736484%3A5uktsc-uupw&cof=FORID%3A10&q=biometric%20authentication&as filetype=doc&sa=Search

30

Biometrics Authentication Report1

Documents

Transcript of Biometrics Authentication Report1